6

I've been using PHPass to hash my passwords for a long time. I admit that there are still things I don't fully understand (or ignore) to hash a password properly, so today I was reviewing all the info I could find about it.

Reviewing PHPass documents, I've stepped into this:

Besides the actual hashing, phpass transparently generates random salts when a new password or passphrase is hashed, and it encodes the hash type, the salt, and the password stretching iteration count into the "hash encoding string" that it returns. When phpass authenticates a password or passphrase against a stored hash, it similarly transparently extracts and uses the hash type identifier, the salt, and the iteration count out of the "hash encoding string". Thus, you do not need to bother with salting and stretching on your own - phpass takes care of these for you.

I've bolded the sentence that bothered me.
I always thought that the salt should be somewhat secret, in the sense that it should not be known to the attacker. So if I understood correctly, PHPass stores the salt used in the same hash so it is able to use it when comparing passwords and check if valid.
My questions are:

  1. Is this secure? If the hash is compromised, the attacker has the salt used to hash the password... There's something I miss here.
  2. Am I really free here from bothering about salting passwords? Can I really rely on PHPass?
Pherrymason
  • With adding `salt` you add one more layer in security. This is the main principle of `Defense in Depth`. But if _phpass_ already adds salt, it won't add another layer. – Leri Aug 27 '12 at 10:27
  • 1.) About which kind of security are you concerned? Can you make that more concrete? - 2.) Can you answer with confidence the following question within a fraction of a second with yes or no: "Is Phpass using a salt?" - Say how certain and how quick you can answer it and as well the answer. – hakre Aug 27 '12 at 10:33
  • @hakre I'm referring to the act of storing the salt together with the password. I always thought that storing it in different places (read DB fields for example) was better. – Pherrymason Aug 27 '12 at 10:50
  • @Raúl How would storing the salt simply in a separate DB field (I assume in the same table) enhance the security in any significant way? – deceze Aug 27 '12 at 10:52
  • @deceze I don't know, that's why I was asking... ;) – Pherrymason Aug 27 '12 at 10:54
  • Two different DB same-row-columns (as in your example) is technically the same place I'd say. But you did not ask about db columns, but about salt in Phpass :) – hakre Aug 27 '12 at 10:54
  • 1
    I've known developers that interpret the salt wrongly, as doing `$hash = md5(SECRET_SALT . $user_password)`, where SECRET_SALT is a secret constant across the application. So if an attacker discovers it he/she can use it to bruteforce passwords, but that's not the way to use salts. Salts should be random and different for each user, and it does not matter if they are public or not. – Carlos Campderrós Aug 27 '12 at 10:56

3 Answers

3

A little background
A salt is not meant to be secret; instead, a salt 'works' by making sure the hash result is unique to each used instance. This is done by picking a different random salt value for each computed hash.

The intention of the salt is not compromised when it is known; the attacker still needs to attack each hash separately. Therefore, you can simply store the salt alongside the password.

So, is PHPass secure?
YES! PHPass (according to the best practices) generates a strong random salt for you. It is a well reviewed and good quality library.

Links of interest:
How to securely hash passwords?
How to store salt?
Password Hashing add salt + pepper or is salt enough?
Salt Generation and open source software

Jacco
1

If I understand correctly, salts are primarily used to thwart precomputed hash/rainbow tables attacks. As long as the hash that is used is generated so that it is reasonably globally unique (not hardcoded in PHPass for example), you're OK.

1

The purpose of a salt is not to be a secret. The purpose is to add a unique component to each hash input, so identical passwords will not hash to identical hashes, thereby making the brute-force process more difficult and time consuming since each hash has to be tried individually.

Yes, it would be marginally more secure if the salt was secret, but that's hard to realize in practice, since your application needs the salt as well, so it needs to be stored somewhere where the password is accessible as well. Therefore, in practice, when the attacker gets the password hash, he's typically also able to get the salt anyway.

deceze
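
The behaviour quoted in the question (hash type, salt and iteration count all travel inside the "hash encoding string") can be seen with PHP's built-in bcrypt functions. This is an added example, not part of the original posts and not PHPass's own code; `parse_bcrypt()` and `verify()` are hypothetical helper names, and the password is a constructed sample.

```php
<?php
// Added example, not PHPass code. parse_bcrypt() and verify() are hypothetical helpers.

// Split a bcrypt hash encoding string into the fields it carries in the clear.
function parse_bcrypt(string $encoded): array
{
    // Layout: $<type>$<2-digit cost>$<22-char salt><31-char hash>
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $encoded, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash encoding string');
    }
    return ['type' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'hash' => $m[4]];
}

// Verify using only the stored string: crypt() reads type, cost and salt from it.
function verify(string $password, string $stored): bool
{
    $recomputed = crypt($password, $stored);
    return hash_equals($stored, $recomputed);   // constant-time comparison
}

$password = 'correct horse battery staple';     // constructed sample input

// Same password hashed twice: a fresh random salt is generated each time.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);

foreach ([$first, $second] as $stored) {
    $f = parse_bcrypt($stored);
    printf("%s\n  type=%s cost=%d salt=%s\n", $stored, $f['type'], $f['cost'], $f['salt']);
}

var_dump($first !== $second);              // do the two stored strings differ?
var_dump(verify($password, $first));       // right password against first hash
var_dump(verify($password, $second));      // right password against second hash
var_dump(verify('wrong guess', $first));   // wrong password against first hash

// Knowing one salt does not carry over to another record: re-hashing with
// $first's salt and cost is compared against $second here.
var_dump(crypt($password, $first) === $second);
```

No separate salt column or secret is involved: everything `verify()` needs is in the stored string, and the final comparison shows why each stored hash still has to be attacked on its own.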